FDIC’s Virtual Supervisory Information on the Net (ViSION) Application

(Report No. 04-027, July 30, 2004)

Summary

The Federal Deposit Insurance Corporation’s (FDIC) Virtual Supervisory Information on the Net (ViSION) application was designed to accept and provide information from and for the FDIC and other federal and state regulators in support of day-to-day operations. ViSION contains information on all insured depository institutions. Users rely on ViSION as a central repository for compiling, reviewing, analyzing, and managing financial, examination, and other data on financial institutions. The ViSION user community includes FDIC executives, regional managers, case managers, review examiners, field examiners, Division of Insurance and Research analysts, and federal (Board of Governors of the Federal Reserve System, Office of the Comptroller of the Currency, and Office of Thrift Supervision) and state regulatory agencies.

The FDIC’s Office of Inspector General has concluded an audit of the ViSION application. The audit objective was to determine whether the application controls over ViSION operational components were adequate. Specifically, using the guidance in the National Institute of Standards and Technology (NIST) Draft Special Publication (SP) 800-53, Recommended Security Controls for Federal Information Systems, dated October 2003, we evaluated key management, operational, and technical controls to determine whether they were sufficient to protect the confidentiality, integrity, and availability of the information maintained in ViSION.

We concluded that, in general, the technical controls incorporated into ViSION provided adequate assurance that (1) it allowed only authorized user access, (2) approved access to specific information in ViSION was based on need, and (3) the data had to pass predetermined edit checks before it was accepted by the system. However, ViSION application management and operational controls needed improvement.

Recommendations

We recommended that the Corporation develop, update, and implement key management and operational controls to protect the confidentiality, integrity, and availability of the information contained in the ViSION application.

Management Response

The Corporation’s response adequately addressed our recommendations. The recommendations are considered resolved but will remain undispositioned and open until we have determined that agreed-to corrective actions are implemented and effective.

This report addresses issues associated with information security. Accordingly, we have not made, nor do we intend to make, public release of the specific contents of the report.